Merge pull request #4284 from ryanpetrello/more-event-sanitization-tweaks

only sanitize project update events for the scm modules
2026-03-24 12:25:01 -02:30 · 2020-05-01 11:48:24 -04:00
parent 99c7f2f70d bf65b40241
commit cd21dd69f5
2 changed files with 21 additions and 11 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -3899,15 +3899,23 @@ class ProjectUpdateEventSerializer(JobEventSerializer):
        return UriCleaner.remove_sensitive(obj.stdout)
    def get_event_data(self, obj):
-        try:
+        # the project update playbook uses the git, hg, or svn modules
-            return json.loads(
+        # to clone repositories, and those modules are prone to printing
-                UriCleaner.remove_sensitive(
+        # raw SCM URLs in their stdout (which *could* contain passwords)
-                    json.dumps(obj.event_data)
+        # attempt to detect and filter HTTP basic auth passwords in the stdout
        # of these types of events
        if obj.event_data.get('task_action') in ('git', 'hg', 'svn'):
            try:
                return json.loads(
                    UriCleaner.remove_sensitive(
                        json.dumps(obj.event_data)
                    )
                )
-            )
+            except Exception:
-        except Exception:
+                logger.exception("Failed to sanitize event_data")
-            logger.exception("Failed to sanitize event_data")
+                return {}
-            return {}
+        else:
            return obj.event_data
 class AdHocCommandEventSerializer(BaseSerializer):
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -1232,10 +1232,12 @@ class BaseTask(object):
            # this is a _little_ expensive to filter
            # with regex, but project updates don't have many events,
            # so it *should* have a negligible performance impact
            task = event_data.get('event_data', {}).get('task_action')
            try:
-                event_data_json = json.dumps(event_data)
+                if task in ('git', 'hg', 'svn'):
-                event_data_json = UriCleaner.remove_sensitive(event_data_json)
+                    event_data_json = json.dumps(event_data)
-                event_data = json.loads(event_data_json)
+                    event_data_json = UriCleaner.remove_sensitive(event_data_json)
                    event_data = json.loads(event_data_json)
            except json.JSONDecodeError:
                pass